Posted by Marbenz Antonio on September 6, 2022
Despite the recent decline in the value of cryptocurrencies, cryptojackers—trojanized currency miners that attackers distribute to harness the processing power of infected devices for their own gain—remain common. In each of the past several months, Microsoft Defender Antivirus has found cryptojackers on tens of thousands of computers. These threats also continue to evolve: recent cryptojackers have improved their stealth by using living-off-the-land binaries (LOLBins) to avoid detection.
Microsoft Defender Antivirus integrates with Intel® Threat Detection Technology (TDT), which applies machine learning to low-level CPU telemetry to detect threats even when the malware is obfuscated and can evade security tools, to provide advanced protection against these increasingly complex and evasive threats.
Microsoft Defender Antivirus uses this silicon-based threat detection to examine signals from the CPU performance monitoring unit (PMU), finding the “fingerprint” of malware code execution at runtime and gaining visibility into the CPU, where malware is ultimately executed. Effective defense against cryptojacking is made possible by the technology’s combination of hardware-level monitoring, CPU usage pattern analysis, and threat intelligence and machine learning at the software level.
We discuss specifics from our monitoring and observation of cryptojackers in this blog article, as well as how the combination of Intel TDT and Microsoft Defender Antivirus detects and neutralizes this complex threat.
Without the user’s knowledge or consent, there are many ways to force a device to mine bitcoin. The following are the three methods that cryptojackers most commonly use:
Executables
Browser-based
Fileless
Both the executable and browser-based techniques rely on malicious code present in the filesystem or on a website, which is comparatively simple to identify and block. The fileless method, on the other hand, uses preinstalled tools or local system binaries to mine from within the device’s memory. With this approach, attackers can accomplish their objectives without depending on specific code or files on disk. The fileless method also makes it possible to deliver cryptojackers covertly and evade detection. As a result, attackers find the fileless approach more appealing.
Even though newer cryptojackers employ the fileless method, one reliable way to spot cryptojacking activity is through its interaction with the hardware that its mining algorithm depends on: the CPU.
Microsoft Defender Antivirus detects cryptojackers on more than 200,000 devices per day using a variety of sensors and innovative detection techniques, including its integration with Intel TDT.
Among the many legitimate system utilities abused in observed campaigns, attackers show a strong preference for notepad.exe.
We investigated a fascinating cryptojacking operation that made use of notepad.exe and some other programs to carry out its operations. An improved version of the cryptojacker known as Mehcrypt was employed in this campaign. This is a significant improvement over the previous version, which used a script to access its command-and-control (C2) server and download additional components that later carried out malicious actions. The new version also condenses all of its routines into a single script and connects to a C2 server in the final stage of its attack chain.
The threat’s delivery vehicle is an archive file containing autoit.exe and a heavily obfuscated, randomly named .au3 script. When the archive is opened, autoit.exe is started and decodes the .au3 script in memory. As the script executes, it continues to decode further obfuscation layers and loads the additional decoded scripts into memory.
The script then drops a copy of itself and autoit.exe into a randomly named folder under C:\ProgramData. It sets autostart registry entries so that the script runs each time the device starts, and creates a scheduled task to delete the original files.
After establishing persistence, the script uses process hollowing to load malicious code into VBC.exe and then connects to a C2 server to listen for commands. Depending on the C2 response, the script uses process hollowing again to load its cryptojacking code into notepad.exe.
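The persistence step above leaves artifacts a defender can audit: an autostart (Run key) value that launches autoit.exe from C:\ProgramData with an .au3 script as its argument. The following is an added example, not code from the original post or from Microsoft; it runs a small rule set over a constructed export of Run-key values (the key names, folder names and paths are made up).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of autostart values, in the form "key\value_name": "command line".
# Only the second entry mimics the chain described above (autoit.exe + .au3 under ProgramData).
SAMPLE_RUN_ENTRIES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kdjsh":
        r'"C:\ProgramData\kdjsh\autoit.exe" "C:\ProgramData\kdjsh\qwe.au3"',
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\system32\SecurityHealthSystray.exe",
}

# First token of a Windows command line: either a quoted path or a bare path, then the rest.
_CMD_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')


def split_command(cmd):
    """Return (executable, argument string) for a Run-key command line."""
    m = _CMD_RE.match(cmd)
    if not m:
        return None, ""
    return (m.group(1) or m.group(2)), m.group(3)


def suspicious_reasons(cmd):
    """Return the list of indicators matched by one command line (empty if benign)."""
    exe, args = split_command(cmd)
    if exe is None:
        return []
    path = PureWindowsPath(exe)
    reasons = []
    if path.name.lower() == "autoit.exe":
        reasons.append("AutoIt interpreter registered for autostart")
    if re.search(r"\.au3\b", args, re.IGNORECASE):
        reasons.append(".au3 script passed as argument")
    if "programdata" in [p.lower() for p in path.parts]:
        reasons.append("launched from C:\\ProgramData rather than an install directory")
    return reasons


def audit_run_entries(entries):
    """Map each suspicious Run value to its matched indicators."""
    findings = {}
    for name, cmd in entries.items():
        reasons = suspicious_reasons(cmd)
        if reasons:
            findings[name] = reasons
    return findings
```

On a live host the same rules can be fed from `reg query` output or a registry-export parser; the three indicators together, rather than any one alone, are what make the entry worth an analyst's time.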
At this point, CPU usage rises sharply as the malicious code injected into notepad.exe begins its cryptojacking operation.
Both Intel TDT and Microsoft Defender Antivirus examine this unusually high CPU utilization in real time. Microsoft Defender Antivirus blocks the execution of the process (Behavior: Win32/CoinMiner.CN!TDT), and Microsoft Defender for Endpoint raises an alert based on Intel TDT’s machine learning-based correlation of CPU telemetry and other suspicious activities like process injection into system binaries.
Microsoft Defender Antivirus and Intel TDT jointly monitor and correlate hardware and software threat data to find evasive cryptojackers. Using signals from the CPU, Intel TDT applies machine learning to identify patterns that resemble cryptojacking activity. These signals, combined with threat intelligence and Microsoft Defender Antivirus’s own machine learning models, are then used at the software level to recognize and block the activity.
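The correlation described in the last two paragraphs (sustained high CPU in a system binary that should be idle, plus a process-injection event into that binary) can be illustrated on simplified telemetry. This is an added example, not Intel TDT or Defender code; the CPU samples and injection events below are constructed, and the threshold and window length are assumed values.

```python
from collections import defaultdict

# Constructed telemetry: one CPU-usage sample per second per process, and
# process-injection events (source image -> target pid). All values are made up.
CPU_SAMPLES = [
    # (second, pid, image, cpu_percent)
    (0, 4120, "notepad.exe", 1.0), (1, 4120, "notepad.exe", 2.0),
    (2, 4120, "notepad.exe", 91.0), (3, 4120, "notepad.exe", 95.0),
    (4, 4120, "notepad.exe", 97.0), (5, 4120, "notepad.exe", 96.0),
    (6, 4120, "notepad.exe", 98.0),
    # A browser legitimately burning CPU: hot, but neither injected nor a quiet binary.
    (0, 2200, "chrome.exe", 60.0), (1, 2200, "chrome.exe", 85.0),
    (2, 2200, "chrome.exe", 88.0), (3, 2200, "chrome.exe", 90.0),
    (4, 2200, "chrome.exe", 82.0),
    # The hollowed VBC.exe stage only talks to C2 and stays idle.
    (0, 3300, "vbc.exe", 3.0), (1, 3300, "vbc.exe", 4.0),
]
INJECTION_EVENTS = [
    # (second, source_image, target_pid)
    (0, "autoit.exe", 3300),
    (1, "autoit.exe", 4120),
]
# System binaries that have no legitimate reason to pin a core for seconds on end.
QUIET_SYSTEM_BINARIES = {"notepad.exe", "vbc.exe", "svchost.exe", "explorer.exe"}


def sustained_high_cpu(samples, threshold=80.0, min_seconds=4):
    """Return {pid: image} for processes with min_seconds consecutive samples at/above threshold."""
    by_pid = defaultdict(list)
    for _sec, pid, image, cpu in sorted(samples):
        by_pid[pid].append((image, cpu))
    hot = {}
    for pid, rows in by_pid.items():
        run = 0
        for image, cpu in rows:
            run = run + 1 if cpu >= threshold else 0
            if run >= min_seconds:
                hot[pid] = image
                break
    return hot


def correlate(samples, injections, **kw):
    """Alert only where high CPU lines up with a quiet system binary and/or injection."""
    injected_by = {pid: src for _sec, src, pid in injections}
    alerts = []
    for pid, image in sustained_high_cpu(samples, **kw).items():
        reasons = ["sustained high CPU"]
        if image.lower() in QUIET_SYSTEM_BINARIES:
            reasons.append("unexpected for system binary " + image)
        if pid in injected_by:
            reasons.append("code injected by " + injected_by[pid])
        if len(reasons) >= 2:  # CPU load alone is not evidence; chrome.exe stays quiet
            alerts.append({"pid": pid, "image": image, "reasons": reasons})
    return alerts
```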
To support continuous monitoring, Intel TDT has implemented performance improvements and optimizations, such as offloading the machine learning inference to Intel’s integrated graphics processing unit (GPU). Intel Core™ processors from the 6th generation onward and platforms bearing the Intel vPro® name support this feature, and Microsoft Defender Antivirus takes advantage of this offloading by design where available.
Microsoft’s continuous monitoring of the threat landscape, together with industry partnerships, powers the threat intelligence that feeds products like Microsoft Defender Antivirus and Microsoft Defender for Endpoint, where it is turned into protection for customers in real time.
Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com